In most cases, no — companies cannot share your personal data with third parties without your explicit consent under the Digital Personal Data Protection Act, 2023 (DPDP Act). Before sharing your data, the company must inform you about who will receive it and for what purpose, and you must give specific, informed consent. There are limited exceptions — government benefit programmes, medical emergencies, court orders, and employment-related processing — but these are narrowly defined. If a company shares your data without your consent outside these exceptions, it faces penalties of up to Rs 250 crore.
Why this matters
Your personal data is a valuable commodity. Companies routinely share customer data with advertisers, data brokers, analytics firms, and business partners — often without your knowledge. Your phone number gets sold to telemarketers, your browsing history gets shared with advertising networks, and your financial data gets passed to third-party service providers. The DPDP Act fundamentally changes this dynamic by making consent the foundation of all data sharing. Understanding these rules empowers you to control who sees your personal information.
Your rights regarding data sharing
1. Consent is mandatory for data sharing
Under Section 6 of the DPDP Act, any processing of your personal data — including sharing with third parties — requires your free, specific, informed, and unambiguous consent. The company must clearly disclose:
- That your data will be shared with third parties
- The identity of those third parties (or categories of recipients)
- The purpose for which it will be shared
In practice: When you sign up for a service, the privacy notice should clearly state whether your data will be shared and with whom. A vague statement like "we may share your data with partners" is not sufficient — the company must be specific about the purpose and recipients.
2. You can refuse consent for data sharing
You have the right to consent to the primary service but refuse consent for data sharing with third parties. A company cannot deny you a service simply because you refuse to let them share your data — unless the data sharing is essential to providing the service itself.
In practice: If a food delivery app asks for consent to share your location with the restaurant (necessary for delivery), that is legitimate. If the same app asks to share your data with an insurance company for marketing purposes, you can refuse without affecting the delivery service.
Important: Companies often bundle multiple consent requests together — "I agree to the terms and privacy policy." The DPDP Act requires consent to be specific to each purpose. A single blanket consent for all data processing, including sharing, does not meet the legal standard.
3. Purpose limitation applies to shared data
Even when you consent to data sharing, the third party receiving your data can only use it for the specific purpose for which it was shared. They cannot repurpose it for unrelated activities.
In practice: If your bank shares your data with a credit bureau for credit scoring purposes, the credit bureau cannot use that data to sell you insurance. The purpose limitation follows your data wherever it goes.
4. You can withdraw consent for data sharing
Under Section 6(4), you can withdraw your consent at any time. Once you withdraw, the company must stop sharing your data and direct all third parties who received it to delete it.
In practice: Look for data sharing preferences in the app or service settings. You should be able to revoke sharing permissions as easily as you granted them. If the withdrawal process is unnecessarily complicated, file a complaint with the company's Grievance Officer.
When companies can share data without consent
The DPDP Act recognises limited exceptions under Section 7 ("legitimate uses"):
| Exception | Example | Condition |
|---|---|---|
| Voluntary provision for specific purpose | You fill a form with your address for delivery | Only for that stated purpose |
| Government benefit/service | Aadhaar-linked subsidy distribution | For the specified government programme |
| Medical emergency | Hospital shares data with ambulance service | Threat to life or health |
| Employment-related | Employer shares salary data with tax authority | Legal compliance |
| Court or statutory order | Court orders production of records | Compliance with legal obligation |
| Public interest purposes | Epidemiological research during a pandemic | As prescribed by government |
In practice: Even under these exceptions, only the minimum necessary data should be shared, and it cannot be repurposed beyond the specific exception.
What if things go wrong
If a company shared your data without consent
Document the evidence — how you discovered the sharing, what data was shared, who received it, and any harm caused. File a formal complaint with the company's Grievance Officer citing Section 6 of the DPDP Act. If the company does not respond within 30 days, escalate to the Data Protection Board of India.
If you start receiving spam after using a service
This likely means the company shared your contact details with third-party marketers without your consent. Document the spam (screenshots with dates), identify the company that likely shared your data, and file complaints with both the company and the Telecom Regulatory Authority of India (TRAI) for unsolicited commercial communications.
If a data breach exposes your shared data
Under Section 8(6) of the DPDP Act, the company must notify the Data Protection Board and you about the breach. If the breach occurred because the company shared your data with a third party that had inadequate security, the original company remains liable.
If a company says "consent was in the terms of service"
A buried clause in a lengthy terms of service that you scrolled past does not constitute valid consent under the DPDP Act. Consent must be specific, informed, and given through a clear affirmative action. Challenge this with the company's Grievance Officer and the Data Protection Board.
Documents and resources you need
- DPDP Act, 2023: Full text at meity.gov.in
- Company's privacy policy: Read the data sharing section carefully
- Grievance Officer contact: Listed on the company's website
- Data Protection Board of India: For escalated complaints
- TRAI DND registration: To register for Do Not Disturb and report spam (call 1909 or send START DND to 1909)
- Screenshots and evidence: Of unwanted communications or discovered data sharing
Common myths
Myth: If you agreed to the privacy policy, the company can share your data with anyone. Reality: Privacy policy acceptance does not equal blanket consent for unlimited data sharing. The DPDP Act requires specific consent for each data sharing purpose. Companies must clearly identify who receives your data and why.
Myth: Anonymised data can be shared without consent. Reality: The DPDP Act applies to personal data that can identify you. If data is genuinely anonymised (cannot be re-identified), it falls outside the Act's scope. However, many forms of "anonymisation" are reversible, and regulators scrutinise such claims carefully.
Myth: Only tech companies share data — banks and hospitals do not. Reality: Banks share data with credit bureaus, payment processors, and marketing partners. Hospitals share data with insurance companies, pharmacies, and research institutions. The DPDP Act applies to all entities processing digital personal data, across all sectors.
Myth: Companies outside India do not have to follow Indian data laws. Reality: The DPDP Act applies to foreign companies that process personal data of individuals in India or offer goods and services to people in India. WhatsApp, Google, Amazon, and Meta all fall within scope.
The law behind this
| Provision | DPDP Act Section | Protection |
|---|---|---|
| Consent required for processing/sharing | Section 6 | No sharing without your explicit, informed consent |
| Notice before consent | Section 5 | Company must tell you who receives your data |
| Withdraw consent anytime | Section 6(4) | You can revoke sharing permissions |
| Purpose limitation | Section 4 | Shared data can only be used for stated purpose |
| Data breach notification | Section 8(6) | You must be informed of breaches |
| Grievance redressal | Section 13 | File complaints with Grievance Officer and DPB |
| Penalties for non-compliance | Section 18 | Up to Rs 250 crore per violation |
Frequently asked questions
Can a company sell my data to advertisers? Not without your specific consent. Selling personal data to advertisers is a form of data sharing that requires your informed agreement under the DPDP Act. If a company sells your data without consent, it faces penalties.
What about data shared with government agencies? Government access is a legitimate use under Section 7 of the DPDP Act, but only for specified purposes like providing benefits, services, or complying with legal obligations. The government cannot access your data without a legal basis.
Can I find out who my data has been shared with? Yes. Under Section 11, you have the right to ask any company for the identities of all entities with whom your data has been shared. The company must respond within 90 days.
What if I consented to data sharing in the past but want to stop it now? Exercise your right to withdraw consent under Section 6(4). Send a written request to the company's Data Protection Officer or Grievance Officer. The company must cease sharing and direct recipients to delete your data.